Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule


What is HIPAA?

HIPAA is a federal law that was enacted in 1996 and created in response to concerns about the use and dissemination of PHI in an age when computers allow for easy access to and sharing of data. It defines how individuals will be informed of uses and disclosures of their medical information; sets forth the rights of individuals to access health information about them held by health-care providers; and mandates the establishment of privacy officers and boards, in addition to policies and procedures for data sharing.

Under HIPAA, the Department of Health and Human Services (DHHS) was obligated to create privacy regulations, known as the HIPAA Privacy Rule, which go into effect on April 14, 2003. The Privacy Rule protects the privacy of individually identifiable health information, such as medical history, diagnosis, treatment or payment information. Known as "protected health information" or PHI, this information also includes demographic information that is maintained with health information, e.g., an individual's date of birth and social security number. HIPAA protection applies to all forms of PHI, both electronic and paper.

Most research involving human subjects operates under the Common Rule (45 CFR part 46) and/or the Food and Drug Administration (FDA) human subject protection regulations (21 CFR Parts 50 and 56), which have some provisions that are similar to but separate from the HIPAA Privacy Rule research provisions. The Common Rule and FDA regulations, which apply to federally funded and some privately funded research, include protections to help ensure the privacy of subjects and confidentiality of information. The HIPAA Privacy Rule builds upon these existing Federal protections, creating a baseline of privacy protection for all individuals and their PHI. Each state's laws build on the HIPAA platform so that the higher standard will always prevail.

Although HIPAA will present challenges to researchers who study health issues, Harvard's compliance efforts should be viewed as an opportunity to demonstrate to the public that scientists treat confidential information responsibly.


How the HIPAA Privacy Rule Affects Research at Harvard University

HIPAA regulations apply to individuals, organizations or institutions considered "covered entities." These include health care providers, health plans, and health care clearinghouses. In this context, health care providers include hospitals, physicians, and other caregivers, as well as researchers who work for covered entities and researchers who combine research with health care services, such as clinicians conducting clinical drug trials. The Privacy Rule does not apply directly to other researchers.

Harvard University is not a covered entity under HIPAA. It is a "hybrid entity," consisting of both covered and non-covered components. The University's covered components include the University Health Service (UHS), the Dental School Dental Clinics, and the Harvard University Group Health Plan (HUGHP). All other parts of the University, including researchers whose research involves health care information, are not considered covered components.

Our focus in this website is on how work processes and culture will change for you as faculty and researchers working within the non-covered components of the University, as distinct from Harvard-affiliated hospitals and those portions of the University deemed to be covered components under HIPAA. If you do not provide healthcare, your research data does not include PHI, and your research is not carried out at a covered entity, your work will not be affected by the HIPAA Privacy Rule.

For excellent resources about HIPAA at Harvard-affiliated hospitals, see the HIPAA web pages of the Partners Healthcare System.

For information about HIPAA, see the web pages of Risk Management and Audit Services.


How will HIPAA Affect My Work?

Assuming that PHI does play a role in your research, the HIPAA Privacy Rule may affect several areas of your work life.

  • Hop on a new learning curve. You will have to put time and energy into learning about, and adjusting to, the new research environment shaped by the HIPAA Privacy Rule. You will be in good company, as everyone else has to do the same.
  • Access to data will never be the same again. You will have to communicate proactively with your sources of data if they are covered entities under HIPAA. You will have to identify pathways to access data and the "hoops" you must jump through, and cooperate in these processes.
  • More visits to your pre-award sponsored research office. You may have to get special data agreements in order to access PHI from covered entities. Your pre-award grants administration team will guide you and facilitate these agreements.
  • More fine print. You will have to exercise caution and comply with written contracts before you re-use or re-disclose protected health information (PHI) to other parties.
  • Better record-keeping and data security. In order to keep track of, and fulfill, your obligations to protect PHI from re-use and re-disclosure to unauthorized parties, you will have to keep good records of your data and other agreements. You will have to work harder than ever to ensure the security of your research data. This should mean good organization and management of all research staff who share the responsibility and privileges of working with PHI for research purposes.
  • Another kind of audit to consider. Federal agencies will be responsible for monitoring compliance with the HIPAA Privacy Rule. The Department of Health and Human Services (DHHS) and the Office for Civil Rights (OCR) will have oversight and authority for civil enforcement. The Department of Justice will enforce criminal penalties for HIPAA Privacy Rule violations.
  • Effects on feasibility, design, cost and schedule of research proposals. You will need to integrate HIPAA Privacy Rule implementation into your research proposals and grant applications.
  • More involvement of IRBs. In addition to reviewing and approving your research with human subjects, your IRB is serving as a resource for learning about the HIPAA Privacy Rule. Your IRB will also serve as a Privacy Board to review requests for waivers of patient authorization or alterations of patient authorization. Such waivers, if approved, can allow you access to PHI from covered entities without patients' giving authorization as otherwise required under the Privacy Rule.
  • Just maybe, more willing research participants. If the theory is correct, enrollment of Americans in research using their PHI may increase. The HIPAA Privacy Rule is intended to ensure a new standard "floor" of protection for individually identifiable health information. If this works, it may mean that over time, Americans will feel more inclined to participate in research, since the risks of harm to their privacy and confidentiality will be lower than ever.

As a researcher seeking data, your first task is to find out if the data exist as PHI at a covered entity. If the entity holding the data is not a covered entity, then you do not need to concern yourself with the HIPAA Privacy Rule to obtain the data, unless the entity passes along secondary restrictions to you in disclosing the data. The pre-award sponsored research office that serves your school is available to help you obtain these data.

If the data source is a covered entity, you should work with the covered entity's Privacy Officer for reliable information about the workings of HIPAA and to establish which of the permissible paths to access the PHI are available to you. Both your IRB office and pre-award sponsored research office are available to assist you.


Pathways for Access to PHI from a Covered Entity

  • Activities preparatory to research
  • Access to PHI through authorizations
  • Access to PHI through an IRB Waiver under the HIPAA criteria
  • Access to PHI through Limited Data Sets
  • Access to PHI through De-identification of Data Sets
  • Research involving decedents


HIPAA and the NIH

The NIH is not involved in enforcing or monitoring compliance with the HIPAA Privacy Rule, but has published guidance, "Impact of the HIPAA Privacy Rule on NIH Processes involving the Review, Funding and Progress Monitoring of Grants, Cooperative Agreements and Research Contracts." The NIH is developing educational materials for researchers, in collaboration with other DHHS research agencies.

The HIPAA Privacy Rule may affect the feasibility, design, and cost of NIH-supported research. As the PHS 398 instructions indicate, you should discuss these issues, as needed, in the research plan and budget sections of the application. Some Requests for Applications (RFA) and Program Announcements (PA) soliciting applications for specific areas of research may require submission of a plan for acquiring or accessing data under HIPAA. In such cases, the review criteria listed in the RFA or PA could be augmented to include a discussion of the adequacy of such plans, and reviewers would be asked to evaluate these. When reviewing progress, NIH will continue the practice of evaluating situations that significantly delay the study, change the study design or change the cost of the research. Bear in mind that significant delays, changes to, or increases in the cost of research require prior approval of NIH.

For general questions about how the HIPAA Privacy Rule may affect the review, funding, and progress monitoring of NIH grants, cooperative agreements, and research contracts, you should contact program and grants management staff at the NIH institutes relevant to your area of scientific interest.


Frequently Asked Questions


Links for general information


Links for the PI


Links for the IRB

 
